(U) Overview

■ (U) What is TOR? 

■ (S//SI//REL) The TOR Problem 

■ (TS//SI//REL) EGOTISTICALGOAT 

■ (TS//SI//REL) EGOTISTICALGIRAFFE 

■ (U) Future Development 
(U) "The Onion Router"

■ (U) Enables anonymous internet activity
  □ General privacy
  □ Non-attribution
  □ Circumvention of nation state internet policies

■ (U) Hundreds of thousands of users
  □ Dissidents (Iran, China, etc)
  □ (S//SI//REL)
  □ (S//SI//REL) Other targets too!
(U) TOR Browser Bundle

□ Portable Firefox 10 ESR (tbb-firefox.exe)
□ Vidalia
□ Polipo
□ TorButton
□ TOR
■ (TS//SI//REL) Fingerprinting TOR

■ (TS//SI//REL) Exploiting TOR 

■ (TS//SI//REL) Callbacks from TOR 
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Windows XP 
Firefox 10.0.5 ESR? 

■ 32-bit Windows 7 

■ Firef ox/10.0 

64-bit Mac OS X 
Firefox 10.0.4 ESR? 

■ 32-bit Windows 7 

■ Firef ox/10.0 



Ubuntu 11.10 

Firefox 10.0.7 ESR? 

■ 32-bit Windows 7 

■ Firef ox/10.0 

64-bit Windows 7 

Firefox 10.0.10 ESR? 

■ 32-bit Windows 7 

■ Firef ox/10.0 



Windows 7 

Firefox 10. o # not running TOR? 

■ 32-bit Windows 7 

■ Firef ox/10.0 
(TS//SI//REL) Fingerprinting TOR

(TS//SI//REL) BuildID gives a timestamp for when the Firefox release was built

  201210 2^0^30^
  Year Month Day Hour Min Sec

(TS//SI//REL) tbb-firefox's BuildID
■ (TS//SI//REL) TorButton cares about TOR users being indistinguishable from TOR users

■ (TS//SI//REL) We only care about TOR users versus non-TOR users

■ (TS//SI//REL) Thanks to TorButton, it's easy!
■ (TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) Callbacks from TOR
(TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) tbb-firefox is barebones
  □ Flash is a no-no
  □ NoScript addon pre-installed...
    ...but not enabled by default!
  □ TOR explicitly advises against using any addons or extensions other than TorButton and NoScript

■ (TS//SI//REL) Need a native Firefox exploit
(TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) ERRONEOUSINGENUITY
  □ Commonly known as ERIN
  □ First native Firefox exploit in a long time
  □ Only works against 13.0-16.0.2

■ (TS//SI//REL) EGOTISTICALGOAT
  □ Commonly known as EGGO
  □ Configured for 11.0-16.0.2...
    ...but the vulnerability also exists in 10.0!
(U) EGOTISTICALGOAT
■ (TS//SI//REL) Type confusion vulnerability in E4X

■ (TS//SI//REL) Enables arbitrary read/write access to the process memory

■ (TS//SI//REL) Remote code execution via the CTypes module
(TS//SI//REL) Callbacks from TOR

■ (TS//SI//REL) Tests on Firefox 10 ESR worked

■ (TS//SI//REL) Tests on tbb-firefox did not
  □ Gained execution
  □ Didn't receive FINKDIFFERENT

■ (TS//SI//REL) Defeated by Prefilter Hash!
  □ Requests EGGI: Hash(tor_exit_ip || session_id)
  □ Requests FIDI: Hash(target_ip || session_id)



TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

(TS//SI//REL) Callbacks from TOR

■ (TS//SI//REL) Easy fix
  □ Turn off prefilter hashing
  □ FUNNELOUT

■ (TS//SI//REL) OPSEC Concerns
  □ Pre-play attacks
    ■ PSPs
    ■ Adversarial Actors
  □ Targets worth it?
(S//SI//REL) The TOR Problem

[figure: no legible text recovered]

(U) Success

■ (TS//SI//REL) 24 targets successfully implanted with Validator during first weekend of release

■ (TS//SI//REL)
  □ Inspire Magazine
  □ Finally exploited after eight months